I just published a post over on the SecureState blog about how to hack your location using Facebook Places. The post brings up some interesting questions about how social networks are going to have a problem with fake location check-in’s. In the meantime, it’s a way to have fun with your friends…:-)
Tag Archives: socialmedia
Hacking Your Location With Facebook Places
0
Filed under Social Networks
Tagged as facebook, geolocation, socialmedia, socialnetworking, socnetsec, zombies
Tagged as facebook, geolocation, socialmedia, socialnetworking, socnetsec, zombies
The Story of a Security Guy at the Marketing Conference
Filed under General Security, Social Networks
Tagged as conference, HR, marketing, policies, PR, security, socialmedia, socialnetworking
Tagged as conference, HR, marketing, policies, PR, security, socialmedia, socialnetworking
Last week I was asked by some of my social media acquaintances to be a panelist on a end of the day keynote at the Online Marketing Summit (OMS) held in Cleveland, OH. The first thing you are probably wondering is “What the hell is a security guy doing at a marketing conference”? Let me explain. This isn’t the first time I have done something like this and it probably won’t be the last. Read on.
In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security. It’s true. We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy. Go away now.” Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again. I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.
It’s because of this bull headed attitude that these departments start finding ways around your policies, procedures, website blocking and more. Why? Because security people are increasingly impossible to deal with. Too much red tape, policies, rules and most of all…lack of communication. That’s right, I said it. Lack of good communication. When was the last time you talked to these people in your company? When was the last time you offered to help them with a compromise or solution rather then saying no? This might be a shock to some of you but these are the people helping make the business money. All of us in security are just an extra expense to the business. Don’t make our jobs harder! Here are three steps to help communicate to these people better:
1. Get out of your shell
We love to hang out and network at security conferences and user groups. It makes sense because we are comfortable around our own people. However, take a step back and think about what the “business needs” for a minute. You are there to help the business succeed. So go out and help them! One way to do this is to attend a marketing conference. Seriously. You get to meet and talk to people that want to help the business make money and know how to do it. You also get to learn what the business wants. This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.
2. Learn something new
What does marketing have to do with security? All kinds of things! SEO, blogging, social networking, social media, brand reputation, monitoring and more. These are hot topics right now and there are serious security and privacy issues to be concidered. You need to be involved! The best way to do this is to attend their conferences, read their blogs and communicate. One good way to get involved is to look for a local social media club in your area. We have a great one in Cleveland and there are others in cities all over the US and probably the world. Attend, learn and network. It can only benefit you and your company. Same goes if you are a consultant. Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company. They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you. 
3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness. Many in security say it doesn’t work and is a hopeless battle. While there is no patch for human stupidity, you still need to make an effort. If anything, by you as the “security person” showing up at the marketing departments monthly meeting it shows that security wants to be involved with what they are doing. This alone says volumes! Especially to management of those groups. Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.
Facebook Privacy & Security Guide Updated to v2.2
Filed under Social Networks
Tagged as facebook, Privacy on the Internetz, socialmedia, socialnetworking, socnetsec
Tagged as facebook, Privacy on the Internetz, socialmedia, socialnetworking, socnetsec
I have updated the Facebook Privacy & Security Guide to version 2.2 over on SocialMediaSecurity.com. If you’re not familiar with the guide it is an easy to use guide which helps you set the recommended privacy and security settings on your Facebook account. It’s free, printable and meant to be shared.
This update includes details on all the recent changes to Facebook’s privacy settings that went live May 26, 2010. I have also included more information on “Instant Personalization”, removing yourself from “Platform”, and how your public information can be accessed via the Facebook Graph API. Note that you may not have these settings enabled on your Facebook profile…yet. They are slowly being rolled out to the Facebook user base and may take a few weeks. Please share with friends, family and others!
Download the latest version of the Facebook Privacy & Security Guide here.
My Thoughts on the New Facebook Privacy Controls
Filed under Privacy on the Internetz, Social Networks
Tagged as facebook, Privacy on the Internetz, security, socialmedia, socnetsec
Tagged as facebook, Privacy on the Internetz, security, socialmedia, socnetsec
Ever since I started the Facebook Privacy & Security Guide back in October 2008 I knew that Facebook’s privacy settings were confusing for the average user. Many of my concerns back then centered around friends and family that had no idea there were even privacy settings to configure on Facebook. It has also never been in Facebook’s financial interest to *really* show you how to protect the information you post. These are all reasons was why I started the guide and hopefully over the last few years it has helped spread some awareness on how to control the information you post a little better. Working on the guide has been frustrating at times because Facebook would make settings more confusing, remove settings that were useful and then bring them back again in some other form. In the latest versions of the guide I often wondered how I was going to fit all the settings and their explanations into a two-sided handout. The handout format has always been important to me so it could be easily distributed.
Jumping forward to today we see yet another iteration of these settings. I don’t have the settings on my Facebook account yet so I haven’t updated the guide but I have read some of the information already out there. The EFF has a good post up about the new settings. They even have a YouTube video showing you the changes and their recommendations. The other post you should read is one by theharmonyguy who, as always, has very good analysis of these settings and Facebook overall.
My thoughts are pretty much along the same lines as the EFF and others. However, I will say that no matter what changes Facebook makes to their privacy settings they *will* find ways to use your information to make money. This is Mark Zuckerberg’s business model and that won’t change anytime soon. I will leave you with a fantastic quote that I think sums up all the media drama leading up to these new privacy controls. This is a quote from Bruce Schneier. It’s from an article he did for Forbes regarding statements that “Privacy is Dead”:
“It’s just not true. People, including the younger generation, still care about privacy. Yes, they’re far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They’re not technically sophisticated about privacy and make mistakes all the time, but that’s mostly the fault of companies and Web sites that try to manipulate them for financial gain.”
Privacy and Security of Open Graph, Social Plugins and Instant Personalization on Facebook
Filed under Social Networks
Tagged as facebook, informationgathering, opengraph, Privacy on the Internetz, socialmedia, socialnetworking, socialplugins, socnetsec
Tagged as facebook, informationgathering, opengraph, Privacy on the Internetz, socialmedia, socialnetworking, socialplugins, socnetsec
As most major news organizations and blogs have covered the changes that Facebook has made from a high level, I wanted to focus this post specifically on Facebook’s “Open Graph”, “Social Plugins” and “Instant Personalization”. In my opinion, these are three changes that will significantly impact the way you and your friends use Facebook. As I usually do, I will provide a point of view from the eyes of an attacker. As we all know, its only a matter of time before these new features begin to be abused by attackers.
Open Graph
The first significant change is Facebook’s “Open Graph”. Open Graph is a significant departure from Facebook’s previous data connection strategy which used to be centered around Facebook Connect. All of that is gone and replaced with Open Graph. Open Graph basically allows partner websites and Facebook applications to share your public information and the public information of your friends with each other. The other big change which is a departure from Facebook Connect is that developers can hold your data indefinitely. The requirement was previously only for 24 hours (and we all know developers weren’t really holding to that anyway).
What’s also interesting is that Facebook has implemented an API called the Graph API. The Graphs API is how developers can easily integrate their applications with this new stream of user data. In fact, now you don’t even need a Facebook account to search the Open Graph. For example, https://graph.facebook.com/search?q=facebook&type=post will show you 25 recent status updates. Note that these status updates are set to Everyone and it seems that Facebook has put a limit on data you can retrieve with one query (this will change most likely or you can figure out ways around this). Before you had to log in to Facebook to do a search or use some creative Google queries for this information. This is good news for attackers, spammers and data miners. Facebook has made publicly available information even easier to search for and in my opinion, is going to start competing with Google for personalized search results. Stay tuned, Open Graph is going to be a huge area that I will be focusing my research on. As a penetration tester, my job just got easier. Thanks Facebook!
Social Plugins
Social plugins are small bits of code (the “Like” button for example) that you probably have been seeing all over the web. What Facebook has done is added simple plugins that web site developers can easily integrate. Also note that there are many more plugins available besides the “Like” button. Simply run the wizard, fill in a few lines and you’re done. Lets take the “Like” button as an example. If you are signed into Facebook (or not) you will see the button just like you do on Mashable:
Clicking on the button while you are signed in to Facebook posts a notice to your news feed that you like Mashable. The button also works when you are not logged into Facebook by prompting you to sign in. This is similar to how Facebook Connect worked. If you want to “unlike” the page, simply click the “Like” button again. Already, someone has found a potential security problem with the “Like” button that could possibly be abused by spammers. Keep in mind that these social plugins are part of Facebook’s strategy to take over the world integrate their Open Graph protocol. Once Open Graph starts to be more popular, you will see lots more attacks leveraging these new plugins.
Instant Personalization
Lastly, we have “Instant Personalization”. Instant Personalization is the feature in which Facebook has “pre-approved” third-party web sites to gain access to your public information just by visiting them. There is very little information available currently on how Facebook approves third-party sites. Once you allow these sites full authorization, they have the same access that any developer would have to your Facebook information. For example, here is what it looks like when you surf to Yelp. You will get a pretty blue bar that shows up at the top of your browser window:
You should notice that you have the option to “Learn More” or say “No, thanks”. You will also notice how instantly, if any of your friends on Facebook are using Yelp you can see any of their activity just below the blue bar.
Now something interesting happens once you visit one of these pre-approved sites. I noticed that a Facebook application (in this case Yelp) gets installed and allows it permissions to post. You don’t have to even click “No thanks”, the application is already installed. Pandora and Microsoft Docs work the same way. In fact, when testing the Microsoft Docs personalization I noticed the Facebook application that gets installed sets its privacy permissions to EVERYONE and allows one-line posts on your behalf. This means that anyone can see any activity that is posted by that application. Keep in mind that these controls are all being closely looked at by attackers and I suspect that we will see some hacks and/or abuse of this new personalization system soon.
Instant Personalization Privacy Settings
Facebook has put in a global “opt-out” check box in your privacy settings. Of course in typical Facebook fashion they have buried this setting so it’s hard to find. Ironically, just as I was writing this post Facebook changed the location of this setting. So now you have to go down one more level by clicking an additional button to get to the setting (see the screen shot below).
There are some very important caveats about this setting. First, this setting is enabled by default. Yes, that’s right. If you have a Facebook account this setting is checked right now and you are opted in. I had thought that Facebook would have learned from the Beacon fiasco but it appears they haven’t. Secondly, just because you “opt-out” doesn’t mean your information is safe. Just like other Facebook applications if your FRIENDS use Yelp, Pandora or Microsoft Docs these sites can still get your public information or anything else you have made available to be shared with friends. To completely opt-out you need to MANUALLY block each and every application (in this case Yelp, Pandora and MS Docs). It goes without saying, this is a huge pain and I look forward to the long list of complaints and privacy concerns regarding this psudo opt-out. The other problem is that I have already seen posts by Facebook that they already have partner sites that they are going to announce soon. What this means is that if you want to truly “opt-out” you need to keep up to date on all the new third-party partners with Facebook and manually block their applications. This is a terrible control in my opinion.
So where are these settings? Click on Account –> Privacy Settings –> Applications and Websites –> Instant Personalization (Click the Edit Settings button). In the screen shot below you can see the box that you need to uncheck.
UPDATE: Yvan Boily on Twitter had mentioned that you should also uncheck every box under “What your Friends can share about you” in your privacy settings (in my guide on SocialMediaSecurity.com this is what I recommend as well).
I will be updating my Facebook Privacy & Security Guide over on SocialMediaSecurity.com to reflect all of these changes soon. In the meantime, tell your friends on Facebook about these settings and check out a few other good articles on the recent changes. Here are three articles I recommend reading: Pros and Cons of Today’s Facebook Announcements by theharmonyguy, How to Opt Out of Facebook’s Instant Personalization (with a nice video walk-through) by the EFF and Facebook Open Graph: What it Means for Privacy by Mashable.
Beware of Evil Facebook Groups
Filed under Social Networks
Tagged as facebook, fail, Malware, socialmedia, socialnetworking, socnetsec
Tagged as facebook, fail, Malware, socialmedia, socialnetworking, socnetsec
Some of my Facebook friends are probably wondering why I would fall into the trap of the magical “dislike button” hype that seems to be sweeping across Facebook right now. In a little social experiment and hopefully an awareness exercise for some of my non-security friends I created a Facebook group based off of similar ones I have seen called The REAL Dislike Button™ is Finally Here! Add it Now!. The group is harmless even if it looks like there is scary JavaScript code in the instructions to “turn your friends blue”. If you click on the link it takes you to one of my favorite YouTube video’s.
The point is that these fake groups are targeting Facebook users thinking that Facebook has these new “features” like a dislike button and even ones like “see who viewed your profile”. Folks, these techniques and/or modifications to Facebook don’t exist. Sorry. Just in the last week I have seen more and more of my Facebook friends sharing links to these groups. Almost all of the groups I have looked at that were being shared lead to very bad places which I will demonstrate below.
Example #1 – The Typical “Get the DISLIKE BUTTON” Scam
In this example we have one of *many* groups that promise you the uber magic secret “dislike” button if you just join the group, invite your friends to do the same and follow some strange link off to Neverland. This group has 1,162,238 members. I wish I was making that number up.
The first thing you will notice is that there is a link to a Facebook profile they want you to friend. That profile was deleted (your first clue). Next, they want you to check out a link in Step 5. That link sends you here:
Which will eventually install some nasty adware/spyware on your Windows machine called Adware.Mywebsearch.DV. It’s not easy to get rid of.
In a similar group like the one above with a mere 697,375 members the last link takes you to this:
If you go through with entering in your cell phone number and getting the confirmation code per the instructions you have just signed up for a monthly charge to your cell phone account to the tune of $9.99 per month. The monthly charge details is in the very tiny text you can hardly read. Nice. But wait, if you were smart enough to try and close the quiz window, you get this pop-up:
Really? Hopefully you don’t fall for that one even though it shows your real city.
Example #2 – The Typical “See everyone who viewed your profile” Scam
This is one of my favorites as this is another impossible feat of Facebook technology. Here is what the screen shot look like:
Note the PhotoShop job on the notification window showing who has “viewed” your profile. Clicking on the bit.ly link leads you to another quiz application or adware/spyware or other forms of dangerous malware. Don’t worry, there are *lots* of these groups out there. Good times.
So the lesson here is…don’t click on anything in these groups that tempt you with magical Facebook powers! If it seems too good to be true, it probably is!
Twitter: You’re Doing It Wrong!
I see some crazy, mind blowing things posted by people on social networks but this recent tweet I saw might take the cake. It’s one thing to post something on Facebook where you have the ability to lock down who might see your status updates but Twitter has very little control over this. In fact, if you post something to Twitter (even with a private profile) it can be re-tweeted and/or copied by your friends.
Regardless of settings I think that there are just *stupid* people using social networks. In fact, I think that even if social networks didn’t exist these people would still be classified as ones with “no brain cells” (no pun intended with this example). For example, here is tweet from a girl talking about a job interview she has scheduled with some company:
Now if that wasn’t bad enough…check out her profile picture:
I have nothing else to say but…FAIL. Perhaps this is the start of a new series of blog posts.
New Facebook Privacy Settings: For Better or For Worse?
Filed under Privacy on the Internetz, Social Networks
Tagged as bots, facebook, informationgathering, pentest, Privacy on the Internetz, security, socialmedia, socialnetworking, socnetsec, zombies
Tagged as bots, facebook, informationgathering, pentest, Privacy on the Internetz, security, socialmedia, socialnetworking, socnetsec, zombies
Everyone has probably already heard that Facebook rolled out new privacy settings today. If you haven’t seen them or gotten the following pop-up box on login…you will soon:
There are a great deal of articles already out about how this is such a great improvement and how these new settings give you more control over your privacy. However, I would argue that these settings may possibly open up more issues then they are trying to prevent. The best article on the new settings and the privacy implications is the one that the Electronic Frontier Foundation (EFF) released today titled: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly. I recommend everyone (no pun intended) read this article as it provides much more detail then I will provide in this post.
What I want to do is provide you with a summary of the good and the bad of the new privacy settings. I also want to give a security professional’s point of view on these settings. As a penetration tester I can tell you that my job just got way easier! You may have read my series on Enterprise Open Source Intelligence Gathering in which I tell you how you can find information on social networks about your company and employees. Well, searching for information on Facebook just got easier thanks to status updates being available using new technology like Google Real-time Search! Ok, on to the better and the worse!
The Better?
- The new way privacy settings are “managed” is a good thing. It’s easier to find and navigate through the settings.
- I like that they ask you for your password to change privacy settings. It’s just another layer. Now, this doesn’t help much if you have a keylogger installed but it seems they put this in to prevent bots that may have taken over your account access to your settings. Again, not fool proof but another layer.
- The ability to fully customize privacy settings on all the content you post. So for example, you can specify if you want everyone on the Internet to view your status updates (more on that in a minute) or Friends, Friends of Friends and Custom.
- Users are now somewhat “forced” to check out their privacy settings. It’s more accessible that’s for sure.
The Worse?
- Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all available to be viewed by EVERYONE on Facebook! You cannot change these settings at all. Note, there is a way to remove your entire Friends List from your profile but it’s all or nothing! Here is a screen shot of this. You have to set it in your profile page using the “edit” button and check the box.These changes are quite disturbing considering that you used to be able to restrict this type of information. I really believe that Facebook has done this on purpose so *more* information is being shared about you while stating “enhanced” more granular privacy settings. If you have been to one of my talks in the past I always mention that social networks need to find ways to make money. The way they make money is off of the information you share! If you don’t get a choice about the basic information anymore…that’s more money in their pocket at the expense of your privacy.
- What about the security ramifications of this? It opens up a whole new world for cyberstalking, predators and other attackers. If you were someone that didn’t feel comfortable sharing this information in the first place, your choice is gone. Sure, you can lock down your profile so no one can search for you but if you do that…why are you on Facebook to begin with? You *have* to let your real friends search for you at some point!
- By default Facebook “suggests” that you set your status updates to “Everyone”. Here is the thing with status updates….Everyone means everyone on the Internet! This is where new technology like Google RTS comes into play. Imagine how easy it will be to find the latest information on “Tiger Woods” or now everything YOU are saying on Facebook, Twitter and other social networks. Enter in some social engineering and things just got easier for attackers looking to use you or your information (which is easy to figure out now that I can see your friends, and things that interest you via the pages your a fan of).
- Lastly, Facebook removed the ability to prevent Facebook applications your friends installed from pulling your “public” information. That option is now gone and applications that your friends install can now view your “public” info. Remember kids, “public” info is now: Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.
One final note…be sure to double check all your privacy settings after you run the wizard. I found a few settings that reverted back to settings I never had. So what are your thoughts? Will this make you lock your profile down more? Do you care? Is privacy dead anyway? Will Zombies destroy us all?
Enterprise Open Source Intelligence Gathering – Part 3 Monitoring and Social Media Policies
Filed under Penetration Testing, Social Networks
Tagged as blog, facebook, googledorks, informationgathering, linkedin, maltego, myspace, pentest, rss, socialmedia, socialnetworking, socnetsec, speaking, twitter, yahoopipes
Tagged as blog, facebook, googledorks, informationgathering, linkedin, maltego, myspace, pentest, rss, socialmedia, socialnetworking, socnetsec, speaking, twitter, yahoopipes
This is the final article in my series on Enterprise Open Source Intelligence Gathering. This information relates to the main topics from my presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part one. If you missed part two (blogs, message boards and metadata) you can check that out here. This last article will be about putting together a simple monitoring program/toolkit and creating a social media policy for your company.
OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered? Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”. The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.
What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important? You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business. Also, you want to pay particular attention to the areas of social media that your business has a presence on. For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first. Why? These are the sites that you have most likely allowed certain employees to use this form of media for business purposes. Lastly, keep in mind that choosing what to monitor should be a group collaborative effort. Get your marketing and public relations people involved in the decision making process. As a bonus, it helps with making security everyone’s business.
Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important. There are two tools that I will talk about. Yahoo! Pipes and RSS readers (specifically Google Reader).
1. Yahoo! Pipes
First, what is Yahoo! Pipes? The best description is probably found on the Yahoo! Pipes main page:
“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web. Like Unix pipes, simple commands can be combined together to create output that meets your needs:
- combine many feeds into one, then sort, filter and translate it.
- geocode your favorite feeds and browse the items on an interactive map.
- grab the output of any Pipes as RSS, JSON, KML, and other formats.
The great thing about pipes is that there are already many different mashups that have already been created! If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own. Creating a pipe is really easy as well. Yahoo! provides good documentation on their site even with video tutorials if you are lost. Everything is done in a neat visual “drop-n-drag” GUI environment. For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS. Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring. Here are a few of my favorite pipes (pre-built) that can be used for monitoring:
Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here
2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice. I personally like Google Reader because it’s easy to use and manage. However, you may prefer a desktop client or some other type of reader…all up to you.
What’s easy and works best?
First, assign someone to look at the information you are monitoring. This should be someone in your information security department and someone with social media skill sets. Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to. Finally, plug these feeds into your RSS reader and set up procedures for monitoring. When will you check these feeds? What happens if the monitoring person is out? Is there a backup for this person? These are just a few of the things you need to think about when putting together these procedures. There may be many more (or less) depending on your business. Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.
What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy. Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in. This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.
Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company? If you do, have you checked to see if they include specific things like social networks? How about commenting on company news or issues on public social networks? This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media. The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy. The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media. Lastly, what is acceptable for employees to post? Keep in mind that employees have Internet access *everywhere* nowadays. iPhones, smartphones, Google phones…employees have these and guess what? They are most likely using them at work. How do you know that they are not commenting about company confidential business? With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!
Examples of good policies to reference
So where do you go from here? Create the policy! The last part of this article has examples of good policies that you can reference when creating your own policies. There is lots of good information in the following links and you can customize these for your own environment and business situation:
Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company
Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations. Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.
UPDATE: You can download my slide deck now on SlideShare.
Enterprise Open Source Intelligence Gathering – Part 2 Blogs, Message Boards and Metadata
Filed under Penetration Testing, Social Networks
Tagged as blog, facebook, googledorks, informationgathering, linkedin, maltego, myspace, pentest, socialmedia, socialnetworking, socnetsec, speaking, twitter
Tagged as blog, facebook, googledorks, informationgathering, linkedin, maltego, myspace, pentest, socialmedia, socialnetworking, socnetsec, speaking, twitter
This post is part two of my three part series on Enterprise Open Source Intelligence Gathering. This information relates to the presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part 1. Part three will be about putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.
Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates. Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on. These include blogs, message boards and document repositories. One of the byproducts of finding documents is metadata, which I will explain in more detail below.
OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments. When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over. The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems. Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on. Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?
Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:
Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)
OSINT and Message Boards
Message boards have always been a great source of OSINT. Message boards date back before blogs were popular and are still widely used today. Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could). Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.
Here is my list of message board search engines and a few that might be more specific for a company:
Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)
More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)
Document Repositories
Something that I have seen more of recently are sites called document repositories. These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes. These sites are probably my favorite since you will find all sorts of interesting information! Here is my list of favorites:
Docstoc http://www.docstoc.com/
*Really good document search engine. I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.
Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/
Great! You found documents. Now what?
Once you find interesting documents be sure to check out the document metadata. What is metadata? Metadata is simply “data about data”. Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document. It goes without saying that document metadata is a treasure trove of information that could be used against your company. For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.
There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below). However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place! If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers. If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce. Here is a short list of tools I use (or have used) to analyze metadata:
EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/
What’s the deal with brand reputation?
One last point I want to make is about brand reputation. You may ask yourself, how does brand reputation relate to information security? Why should we care? I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information. Brand reputation is vital to an organization, even more so in this economy. Think of the CIA triad…Confidentiality, Integrity and Availability. All three have aspects that reflect brand reputation. All of us in information security need to be thinking of brand reputation in our daily job.
Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far. This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about. I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.
